Phishers Target .ca Domain Name Owners

Phishing scams are targeting domain name owners, including one that sent emails from a domain that resembles the Canadian Internet Registration Authority (CIRA) in an effort to trick registrants into providing usernames and passwords for their domain management accounts.

The CIRA warned .ca domain owners about the scam, which sends emails originating from the address complaince@cira.cc, rather than the group's official compliance email address, compliance at cira.ca. The use of such "look-alike" domains has become common in phishing scams targeting financial institutions. The scam email says the CIRA is "exercising our right to verify the registrant information." This tactic mimics legitimate emails sent in recent weeks by numerous registrars, who sought to verify account information ahead of an ICANN rule change.

"CIRA has learned that an unknown party is attempting to obtain CIRA User Account Numbers and Passwords from dot-ca registrants by sending MISLEADING EMAIL NOTICES that appear to originate from CIRA," the group said in a statement. "These misleading emails request that CIRA User Account Numbers and Passwords be provided to validate registrant information and prevent domain name suspension (inactivation)." The CIRA emphasizes that it does not ever ask registrants to share login credentials via email.

The .cc domain is a top-level domain for the Cocos Islands, a small island nation in the Indian Ocean that makes the .cc domain available to registrars. The CIRA appears to have gained control of the cira.cc domain, which is now registered to a CIRA representative.

Although the use of similar domains can add considerable credibility to an attack, it also gives the institution an opportunity to defend its customers, and creates precisely the scenario anticipated by our domain fraud detection service. This allows domain owners to pre-empt such frauds through prompt action as soon as they notice domains that may be attempting to masquerade as their institution. Netcraft's service can often spot such suspicious domain registrations within 24 hours.
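The look-alike pattern in this incident can be checked mechanically on inbound mail. The sketch below is an added example, not code from Netcraft or CIRA: it compares a sender address with a protected address and reports why it looks like an imitation. The function names, the distance thresholds and the sample address at c1ra.ca are assumptions made for illustration.

```python
# Added example. Thresholds and the naive "last label is the TLD" split are assumptions.

def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, swap adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # An adjacent swap ("ia" -> "ai") counts as a single edit.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def split_address(addr):
    """Return (local part, domain name without TLD, TLD), lower-cased."""
    local, _, domain = addr.strip().lower().rpartition("@")
    name, _, tld = domain.rpartition(".")
    return local, name, tld

def lookalike_reasons(sender, official, max_dist=2):
    """List the ways `sender` imitates `official`; an empty list means no match."""
    s_local, s_name, s_tld = split_address(sender)
    o_local, o_name, o_tld = split_address(official)
    if (s_name, s_tld) == (o_name, o_tld):
        return []  # genuine domain; spoofing of it is a job for SPF/DKIM/DMARC
    reasons = []
    # Short names such as "cira" get a tighter limit to keep false positives down.
    name_limit = min(max_dist, max(1, len(o_name) // 4))
    if s_name == o_name:
        reasons.append("same-name-different-tld")
    elif edit_distance(s_name, o_name) <= name_limit:
        reasons.append("near-miss-domain-name")
    # The local part only matters once the domain itself already looks imitative.
    if reasons and edit_distance(s_local, o_local) <= max_dist:
        reasons.append("same-local-part" if s_local == o_local else "near-miss-local-part")
    return reasons

if __name__ == "__main__":
    official = "compliance@cira.ca"
    # First address is the one quoted in the article; the rest are constructed samples.
    for sender in ("complaince@cira.cc", "info@c1ra.ca", "news@example.org", official):
        print(sender, lookalike_reasons(sender, official))
```

The same comparison can be run over a feed of newly registered domain names instead of sender addresses by passing only the domain part on both sides.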